Pre-loaded malware found on Xiaomi Mi 4 device, among other issues

Bluebox Security tested a popular smartphone in China and found a number of major security issues, including pre-installed malicious apps and numerous vulnerabilities.

The smartphone, a Xiaomi Mi 4 LTE device, was first verified to be a legitimate device by Xiaomi, the world's third largest smartphone distributor. Andrew Blaich of Bluebox revealed Thursday that the phone ran a "forked," or not certified, form on Android largely based on the MIUI ROM.

In addition to detecting pre-loaded “suspicious apps"on the device, categorized as malware, spyware or adware, Bluebox saw that the phone was vulnerable to every bug it scanned for, except Heartbleed. Several conflicting API build properties were also observed, meaning it was “unclear if [the] build of the software was meant for testing or release to consumers,” Blaich explained.

Bluebox disclosed the issues to Xiaomi, which did not follow up with the security firm.

UPDATE: Despite Bluebox's efforts to check the authenticity of the device, Xiaomi said that the firm's security analysis was actually done on a counterfeit smartphone.

Get SC Media delivered to your inbox

Whitepaper of the Day

Newswire

Buzz

I would like to receive relevant information via email from Haymarket Media.

SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.